[ https://issues.apache.org/jira/browse/ZOOKEEPER-4259?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Damien Diederen resolved ZOOKEEPER-4259.
----------------------------------------
    Fix Version/s: 3.8.0
       Resolution: Fixed

> Allow AdminServer to force https
> --------------------------------
>
>                 Key: ZOOKEEPER-4259
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4259
>             Project: ZooKeeper
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.7.0
>            Reporter: Norbert Kalmár
>            Assignee: Norbert Kalmár
>            Priority: Minor
>              Labels: pull-request-available
>             Fix For: 3.8.0
>
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> Since port unification (ZOOKEEPER-3371), AdminServer supports https. But there
> is no way to disable http and allow https only. It is my understanding that
> to be FIPS compliant, only https is allowed. This is one reason it is good
> to have such a feature.
> To enable https currently, we need to set these parameters in zoo.cfg:
> {code:java}
> ssl.quorum.keyStore.location=/tmp/zookeeper/keystore.jks
> ssl.quorum.keyStore.password=password
> ssl.quorum.trustStore.location=/tmp/zookeeper/truststore.jks
> ssl.quorum.trustStore.password=password
> admin.portUnification=true
> {code}
> I generated keystore and truststore with the following commands:
> {code:java}
> #create test/dev keystore/truststore (ZK runs only on localhost)
> keytool -genkeypair -alias zk.dev -keyalg RSA -keysize 2048 -dname "cn=zk.dev" -keypass password -keystore /tmp/zookeeper/keystore.jks -ext san=dns:localhost -storepass password
> keytool -exportcert -alias zk.dev -keystore /tmp/zookeeper/keystore.jks -file /tmp/zookeeper/zk.dev.cer -rfc
> keytool -keystore /tmp/zookeeper/truststore.jks -storepass password -importcert -alias zk.dev -file /tmp/zookeeper/zk.dev.cer
> #check
> keytool -list -v -keystore /tmp/zookeeper/truststore.jks
> {code}

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
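The issue's point is that with admin.portUnification=true the AdminServer serves https but still accepts plaintext http, and the fix adds a switch to make it https-only. As an added example (not part of the issue, its pull request, or the ZooKeeper code base), here is a small Python audit that reads a zoo.cfg and reports whether the admin port still accepts plaintext http, whether the ssl.quorum.* settings the issue lists are complete, and whether the keystore/truststore passwords are the kind of placeholder used in the issue's dev setup. It assumes the https-only switch added for 3.8.0 is named admin.forceHttps (check that name against the 3.8.0 AdminServer documentation); the two zoo.cfg samples are constructed for the example.

```python
"""Audit a zoo.cfg for an AdminServer that still accepts plaintext http.

Added example for ZOOKEEPER-4259, not project code. Assumptions:
 - AdminServer TLS is configured with the ssl.quorum.* keys quoted in the issue;
 - the https-only switch added for 3.8.0 is named admin.forceHttps (assumed name,
   verify against the 3.8.0 AdminServer documentation).
"""
from __future__ import annotations

# zoo.cfg keys the issue shows are needed for AdminServer https
REQUIRED_TLS_KEYS = (
    "ssl.quorum.keyStore.location",
    "ssl.quorum.keyStore.password",
    "ssl.quorum.trustStore.location",
    "ssl.quorum.trustStore.password",
)
PORT_UNIFICATION_KEY = "admin.portUnification"
FORCE_HTTPS_KEY = "admin.forceHttps"  # assumed name of the switch this issue added
# Fine for a localhost dev keystore (as in the issue), not for a real deployment.
WEAK_PASSWORDS = {"", "password", "changeit"}


def parse_zoo_cfg(text: str) -> dict[str, str]:
    """Parse the key=value lines of a zoo.cfg, ignoring blank lines and # comments."""
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def is_true(cfg: dict[str, str], key: str) -> bool:
    """ZooKeeper boolean options are the literal string 'true' (case-insensitive)."""
    return cfg.get(key, "false").strip().lower() == "true"


def audit_admin_server(cfg: dict[str, str]) -> list[str]:
    """Return findings; an empty list means https-only with complete, non-placeholder TLS settings."""
    findings: list[str] = []
    missing = [k for k in REQUIRED_TLS_KEYS if k not in cfg]
    if missing:
        findings.append("missing TLS settings: " + ", ".join(missing))
    for key in ("ssl.quorum.keyStore.password", "ssl.quorum.trustStore.password"):
        if key in cfg and cfg[key] in WEAK_PASSWORDS:
            findings.append(f"{key} is a weak or empty password")
    unified = is_true(cfg, PORT_UNIFICATION_KEY)
    forced = is_true(cfg, FORCE_HTTPS_KEY)
    if forced:
        if missing:
            findings.append(f"{FORCE_HTTPS_KEY}=true but TLS settings are incomplete; AdminServer cannot serve https")
    elif unified:
        # The situation the issue describes: https works, but http was never disabled.
        findings.append(f"{PORT_UNIFICATION_KEY}=true without {FORCE_HTTPS_KEY}=true: plaintext http is still accepted on the admin port")
    else:
        findings.append("AdminServer is plaintext http only (no https configured on the admin port)")
    return findings


# Constructed sample: the dev configuration quoted in the issue (https enabled, http not disabled).
ISSUE_CFG = """\
ssl.quorum.keyStore.location=/tmp/zookeeper/keystore.jks
ssl.quorum.keyStore.password=password
ssl.quorum.trustStore.location=/tmp/zookeeper/truststore.jks
ssl.quorum.trustStore.password=password
admin.portUnification=true
"""

# Constructed sample: the same deployment made https-only with non-placeholder store passwords.
HARDENED_CFG = """\
ssl.quorum.keyStore.location=/etc/zookeeper/keystore.jks
ssl.quorum.keyStore.password=example-keystore-secret
ssl.quorum.trustStore.location=/etc/zookeeper/truststore.jks
ssl.quorum.trustStore.password=example-truststore-secret
admin.portUnification=true
admin.forceHttps=true
"""

if __name__ == "__main__":
    for name, text in (("issue", ISSUE_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_admin_server(parse_zoo_cfg(text)) or ["ok"])
```

Run against the issue's own configuration the audit reports three findings (both placeholder passwords and the still-open plaintext http path); against the hardened sample it reports none. The parser deliberately keeps only key=value lines, so the same function works on a production zoo.cfg with its other settings present.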